Login algorithm help

[jtrost]

Hello, I have a login function that kind of works.  I have 3 users in the DB, and it will log in all three users just fine, but it will only load session data for the first user in the DB.  If the second or third user login, the script hangs up before the line: while($row = mysql_fetch_row($result)) {

 

Here is the function:

 

function login()
{
    if ((isset($_POST['username'])) && (isset($_POST['password'])))
    {
        $sql = "SELECT * FROM `FC_users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'"; 
        $result=mysql_query($sql);
        echo $sql;
        if (!$result)
        {
            echo 'Could not run query: ' . mysql_error()." ".$sql;
            exit;
        }

        while($row = mysql_fetch_row($result)) {
            ini_set("session.gc_maxlifetime","14400");
            
            // start the session
            $_SESSION['logged_in'] = 1;
            $_SESSION['id'] = $row[0];
            $_SESSION['username'] = $row[1];
            $_SESSION['password'] = $row[2];
            $_SESSION['firstname'] = $row[3];
            $_SESSION['lastname'] = $row[4];
            $_SESSION['email'] = $row[5];
            $_SESSION['city'] = $row[6];
        }
    }
}

 

Why does it work just fine for the first user in the DB, but not for any subsequent users?  Thanks.

 

[laffin]

why are u looping thru the records, ya shud only have 1 record with that username / password combo.

change

        }

        while($row = mysql_fetch_row($result)) {[code] to this[code]} else {

Everything else looks ok as coding logic goes.

 

But, ya do have another problem with the script, that is using $_POSTs (user sent data) directly in a query.

Which is a big nono. first validate than sanitize user input.

[jtrost]

Thanks for your suggestions.  I took the POST data out of the query, and will work on data validation later.  Right now I am concerned about logging in.  I took out the while loop, but the session data still is not loading.  Here is the new code:

function login()
{
    if ((isset($_POST['username'])) && (isset($_POST['password'])))
    {
        $user = $_POST['username'];
        $pass = $_POST['password'];
         
        $sql = "SELECT * FROM `FC_users` WHERE `username` = '".$user."' AND `password` = '".$pass."'"; 
        $result=mysql_query($sql);
        echo $sql;
        if (!$result)
        {
            echo 'Could not run query: ' . mysql_error()." ".$sql;
            exit;
        }

            $row = mysql_fetch_array($result);
            ini_set("session.gc_maxlifetime","14400");
            
            // start the session
            $_SESSION['logged_in'] = 1;
            $_SESSION['id'] = $row[0];
            $_SESSION['username'] = $row[1];
            $_SESSION['password'] = $row[2];
            $_SESSION['firstname'] = $row[3];
            $_SESSION['lastname'] = $row[4];
            $_SESSION['email'] = $row[5];
            $_SESSION['city'] = $row[6];
    }
}

 

 

[premiso]

Did you start the session by including session_start() at the top of each page before any output is sent to the browser?

[jtrost]

Did you start the session by including session_start() at the top of each page before any output is sent to the browser?

Yes, as I noted above, the session data can be loaded only when the first user in the DB (with the ID=1) logs in.  When users with ID=2 or 3 log in, the session data is not loaded at all.

 

[premiso]

If the script is hanging chances are there is an error.

 

Have you tried explicitly telling the script to display errors with the following:

error_reporting(E_ALL);
ini_set('display_errors', 1);

 

And see what the error is? My bet is either the mysql is throwing the error when retrieving the rows or the ini_set you have there is throwing an error for whatever reason.

 

If that is not it, when a user logs out are you destroying the sessions properly?